Abstract



We describe an algorithm for proving termination of programs abstracted to systems of monotonicity constraints in the integer domain. Monotonicity constraints are a non-trivial extension of the well-known size-change termination method. While deciding termination for systems of monotonicity constraints is PSPACE complete, we focus on a well-defined and significant subset, which we call MCNP, designed to be amenable to a SAT-based solution. Our technique is based on the search for a special type of ranking function defined in terms of bounded differences between multisets of integer values. We describe the application of our approach as the back-end for the termination analysis of Java Bytecode (JBC). At the front-end, systems of monotonicity constraints are obtained by abstracting information, using two different termination analyzers: AProVE and COSTA. Preliminary results reveal that our approach provides a good trade-off between precision and cost of analysis.
1 Introduction

Proving termination is a fundamental problem in verification. The challenge of termination analysis is to design a program abstraction that captures the properties needed to prove termination as often as possible, while providing a decidable sufficient criterion for termination. Typically, such abstractions represent a program as a finite set of abstract transition rules which are descriptions of program steps, where the notion of step can be tuned to different needs. The abstraction considered in this paper is based on monotonicity-constraint systems (MCSs).

The MCS abstraction is an extension of the SCT (size-change termination (Lee et al. 2001)) abstraction, which has been studied extensively during the last decade (see http://www2.mta.ac.il/~amirben/sct.html for a summary and references). In the SCT abstraction, an abstract transition rule is specified by a set of inequalities that show how the sizes of program data in the target state are bounded by those in the source state. Size is measured by a well-founded base order. These inequalities are often represented by a size-change graph.

The size-change technique was conceived to deal with well-founded domains, 
where infinite descent is impossible. Termination is deduced by proving that any 
(hypothetical) infinite run would decrease some value monotonically and endlessly, 
so that well-foundedness would be contradicted. 

Extending this approach, a monotonicity constraint (MC) allows for any conjunction of order relations (strict and non-strict inequalities) involving any pair of variables from the source and target states. So in contrast to SCT, one may also have relations between two variables in the target state or two variables in the source state. Thus, MCSs are more expressive, and (Codish et al. 2005) observe that earlier analyzers based on monotonicity constraints (Lindenstrauss and Sagiv 1997; Codish and Taboch 1999; Lindenstrauss et al. 2004) apply a termination test which is sound and complete for SCT, but incomplete for monotonicity constraints, even if one does not change the underlying model, namely that "data" are from an unspecified well-founded domain. They also point out that monotonicity constraints can imply termination under a different assumption, that the data are integers. Not being well-founded, integer data cannot be handled by SCT. As an example, consider the Java program in the paper's figure (not reproduced here), which computes the average of x and y. The loops in this program can be abstracted to the following monotonicity-constraint transition rules:

(1) a(x, y) :- x > y, x > x', y' > y, x' > y'; a(x', y')

(2) a(x, y) :- y > x, x' > x, y > y', y' > x'; a(x', y')

To prove termination of the Java program it is sufficient to focus on the corresponding abstraction. Note that termination of this program cannot be proved using SCT, not only because SCT disallows constraints between source variables (such as x > y), but also because it computes with integers rather than natural numbers.

To see how the transition constraints imply termination, observe that if (1) is repeatedly taken, then the value of y grows; constraint x > y (with the fact that x descends) implies that this cannot go on forever. In (2), the situation is reversed: y descends and is lower-bounded by x. In addition, constraint y' > x' of rule (2) implies that, once this rule is taken, there can be no more applications of (1). Therefore any (hypothetical) infinite computation would eventually enter a loop of (1)s or a loop of (2)s; possibilities which we have just ruled out. In this paper, we show how to obtain such termination proofs automatically using SAT solving.

Although MCS and SCT are abstractions where termination is decidable, they have a drawback: the decision problems are PSPACE complete and a certificate for termination under these abstractions can be of prohibitive complexity (not "polynomially computable" (Ben-Amram 2009)). Typical implementations based on the SCT abstraction apply a closure operation on transition rules which is exponential both in time and in space. (Ben-Amram and Codish 2008) addressed this problem for SCT, identifying an NP complete subclass of SCT, called SCNP, which yields polynomial-size certificates. Moreover, (Ben-Amram and Codish 2008) automated SCNP using a SAT solver. Experiments indicated that, in practice, this method had good performance and power when compared to a complete SCT decision procedure, and had the additional merit of producing certificates.

In this paper we tackle the similar problem to prove termination of monotonicity-constraint systems in the integer domain. As noted above, the integer setting is more complicated than the well-founded setting. Termination is often proved by looking at differences of certain program values (which should be decreasing and lower-bounded). One could simulate such reasoning in SCT by creating fresh variables to track the non-negative differences of pairs of original variables. However this loses precision and may square the number of variables, which is an exponent in the complexity of most SCT algorithms. Instead, we use an idea from (Ben-Amram and Codish 2008) which consists of mapping program states into multisets of argument values. The adaption of this method to integer data is non-trivial. Our new solution uses the following ideas: (1) We associate two sets with each program point and define how to "subtract" them so that the difference can be used for ranking (generalizing the difference of two integers). This avoids the quadratic growth in the exponent of the complexity, since we are only working with the original variables and relations, and is also more expressive. (2) We introduce a concept of "ranking functions" which is less strict than typically used but still suffices for termination. It allows the co-domain of the function to be a non-well-founded set that has a well-founded subset. This gives an additional edge over the naive reduction to SCT, which can only make use of differences which are definitely non-negative.

After presenting preliminaries in Sect. 2, Sect. 3 introduces ranking structures, which are termination witnesses. In Sect. 4 we show that such a witness can be verified in polynomial time, hence the resulting subclass of terminating MCSs lies in NP. Consequently, we call it MCNP. In Sect. 5 we devise an algorithm that uses a SAT solver as a back-end to solve the resulting search problems. Sect. 6 describes an empirical evaluation using a prototypical implementation as the back-end for termination analysis of Java Bytecode (JBC). Results indicate a good trade-off between precision and cost of analysis. All proofs and further details of the evaluation can be found in the appendices.

Related work. Termination analysis is a vast field and we focus here on the most closely related work. On termination analyzers for JBC, we mention COSTA (Albert et al. 2008), Julia (Spoto et al. 2010), and AProVE (Brockschmidt et al. 2010; Otto et al. 2010). Both COSTA and Julia abstract programs into a CLP form, as in this work, but use a richer constraint language that makes termination of the abstract program undecidable. On extending SCT to the integer domain: (Avery 2006) uses constraints of the form $x \geq y'$, $x > y'$, $x \leq y'$, $x < y'$ along with polyhedral state invariants (similar constraints as those used by COSTA and Julia) to find lower-bounded combinations of the variables. (Manolios and Vroon 2006) uses SCT constraints on pseudo-variables that represent "measures" invented by the system. This allows it to handle integers by taking, for example, the differences of two variables as a measure. (Dershowitz et al. 2001; Serebrenik and De Schreye 2004) prove termination of logic programs that depend on numerical constraints by inferring "level mappings" based on constraints selected from the source program; so, a constraint like $x > y$ can trigger the use of $x - y$ as a level mapping. There are numerous applications of SAT for deciding termination problems for all kinds of programs (e.g., one of the first such papers is (Codish et al. 2006)).

2 Monotonicity-Constraint Systems and Their Termination 

Our method is programming-language independent. It works on an abstraction of the program provided by a front-end. An abstract program is a transition system with states expressed in terms of a finite number of variables (argument positions).

Definition 1 (constraint transition system)

A constraint transition system is an abstract program, represented by a directed multigraph called a control-flow graph (CFG). The vertices are called program points and they are associated with fixed numbers (arity) of argument positions. We write $p/n$ to specify the arity of vertex $p$. A program state is an association of a value from the value domain to each argument position of a program point $p$, denoted $p(x_1, \ldots, x_n)$ and abbreviated $p(\bar{x})$. The set of all states is denoted $St$. The arcs of the CFG are associated with transition rules, specifying relations on program states, which we write as $p(\bar{x}) \mathrel{:-} \pi;\ q(\bar{y})$. The transition predicate $\pi$ is a formula in the constraint language of the abstraction.

Note that a state corresponds to a ground atom: argument positions are associated with specific values. In a transition rule, positions are associated with variables that can only be constrained through $\pi$. Thus in the notation $p(\bar{x})$, $\bar{x}$ may represent ground values or variables, according to context. The constraint language in our work is that of monotonicity constraints.

Definition 2 (monotonicity constraint)

A monotonicity constraint (MC) $\pi$ on $V = \bar{x} \cup \bar{y}$ is a conjunction of constraints $x \triangleright y$ where $x, y \in V$ and ${\triangleright} \in \{>, \geq\}$. We write $\pi \models x \triangleright y$ whenever $x \triangleright y$ is a consequence of $\pi$ (in the theory of total orders). This consequence relation is easily computed, e.g., by a graph algorithm. A transition rule $p(\bar{x}) \mathrel{:-} \pi;\ q(\bar{y})$, where $\pi$ is a MC, is also known as a monotonicity-constraint transition rule. An integer monotonicity-constraint transition system (MCS)¹ is a constraint transition system where the value domain is $\mathbb{Z}$ and transition predicates are monotonicity constraints.

It is useful to represent a MC as a directed graph (often denoted by the letter $g$), with vertices $\bar{x} \cup \bar{y}$, and two types of edges $(x, y)$: weak and strict. If $\pi \models x > y$ then there is a strict edge from $x$ to $y$, and if $\pi \models x \geq y$ (but not $x > y$) then the edge is weak. Note that there are two kinds of graphs, those representing transition rules and the CFG. We often identify an abstract program with its set $\mathcal{G}$ of transition rules, the CFG being implicitly specified.

¹ In this work only the integer domain is of interest, hence "integer" will be omitted.

Definition 3 (run, termination)

Let $\mathcal{G}$ be a transition system. A run of $\mathcal{G}$ is a sequence $p_0(\bar{x}_0) \xrightarrow{\pi_0} p_1(\bar{x}_1) \xrightarrow{\pi_1} p_2(\bar{x}_2) \cdots$ of states labeled by constraints such that each labeled pair of states, $p_i(\bar{x}_i) \xrightarrow{\pi_i} p_{i+1}(\bar{x}_{i+1})$, corresponds to a transition rule $p_i(\bar{x}) \mathrel{:-} \pi_i;\ p_{i+1}(\bar{y})$ from $\mathcal{G}$ (identical except that variables $\bar{x}$ and $\bar{y}$ are replaced by values $\bar{x}_i$ and $\bar{x}_{i+1}$) and such that $\pi_i$ is satisfied. A transition system terminates if it has no infinite run.

Example 4 

This example presents a MCS in textual form as well as graphical form. This system 
is terminating, and in the following sections we shall illustrate how our method 
proves it. In the graphs, solid arrows stand for strict inequalities and dotted arrows 
stand for weak inequalities. 
3 Ranking Structures for Monotonicity-Constraint Systems

This section describes ranking structures, a concept that we introduce for proving termination of MCSs. Sect. 3.1 presents the necessary notions in general form. Then, Sect. 3.2 specializes them to the form we use for MCNP.

3.1 Ranking structures 

Recall that $\succeq$ is a quasi-order if it is transitive and reflexive; its strict part $x \succ y$ is the relation $(x \succeq y) \wedge (y \not\succeq x)$; the quasi-order is well-founded if there is no infinite chain with $\succ$. A set is well-founded if it has a tacitly-understood well-founded order. A ranking function maps program states into a well-founded set, such that every transition decreases the function's value. As shown in (Ben-Amram 2011), for every terminating MCS there exists a corresponding ranking function. However, these are of exponential size in the worst case. Since our aim is NP complexity, we cannot use that construction, but instead restrict ourselves to polynomially sized termination witnesses. These witnesses, called ranking structures, are more flexible than ranking functions, and suffice for most practical termination proofs.

Definition 5 (anchor, intermittent ranking function)

Let $\mathcal{G}$ be a MCS with state space $St$. Let $(\mathcal{D}, \succeq)$ be a quasi-order and $\mathcal{D}^+$ a well-founded subset of $\mathcal{D}$. Consider a function $\Phi : St \to \mathcal{D}$. We say that $g \in \mathcal{G}$ is a $\Phi$-anchor for $\mathcal{G}$ (or that $g$ is anchored by $\Phi$ for $\mathcal{G}$) if for every run $p_0(\bar{x}_0) \to p_1(\bar{x}_1) \to \cdots \to p_k(\bar{x}_k) \to p_{k+1}(\bar{x}_{k+1})$ where both $p_0(\bar{x}_0) \to p_1(\bar{x}_1)$ and $p_k(\bar{x}_k) \to p_{k+1}(\bar{x}_{k+1})$ correspond to the transition rule $g$, we have $\Phi(p_i(\bar{x}_i)) \succeq \Phi(p_{i+1}(\bar{x}_{i+1}))$ for all $0 \leq i \leq k$, where at least one of these inequalities is strict; and $\Phi(p_i(\bar{x}_i)) \in \mathcal{D}^+$ for some $0 \leq i \leq k$. A function $\Phi$ which satisfies the above conditions is called an intermittent ranking function (IRF).²

Example 6

Consider the transition rules from Ex. 4. Let $\mathcal{G} = \{g_1, g_2\}$ and let $\Phi_1(p(\bar{x})) = \max(x_2, x_3) - x_1$. In any run built with $g_1$ and $g_2$, the value of $\Phi_1$ is non-negative at least in every state followed by a transition by $g_1$. Moreover, a transition by $g_1$ decreases the value strictly and a transition by $g_2$ decreases it weakly. Hence, $g_1$ is anchored by $\Phi_1$ for $\mathcal{G}$ (in Sect. 3.2 we come back to this example and show how $\Phi_1$ fits the patterns of termination proofs that our method is designed to discover).

Definition 7 (ranking structure)

Consider $\mathcal{G}$ and $\mathcal{D}$ as in Def. 5. Let $\Phi_1, \ldots, \Phi_m : St \to \mathcal{D}$. Let $\mathcal{G}_1$ consist of all transition rules $g \in \mathcal{G}$ where $\Phi_1$ anchors $g$ for $\mathcal{G}$. For $2 \leq i \leq m$, let $\mathcal{G}_i$ consist of all transition rules $g \in \mathcal{G} \setminus (\mathcal{G}_1 \cup \cdots \cup \mathcal{G}_{i-1})$ where $\Phi_i$ anchors $g$ in $\mathcal{G} \setminus (\mathcal{G}_1 \cup \cdots \cup \mathcal{G}_{i-1})$. We say that $(\Phi_1, \ldots, \Phi_m)$ is a ranking structure for $\mathcal{G}$ if $\mathcal{G}_1 \cup \cdots \cup \mathcal{G}_m = \mathcal{G}$.

Note that by the above definition, for every $g \in \mathcal{G}$ there is a (unique) $\mathcal{G}_i$ with $g \in \mathcal{G}_i$. We denote this index $i$ as $i(g)$ (i.e., $g \in \mathcal{G}_{i(g)}$ for all $g \in \mathcal{G}$).

Example 8

For the program $\{g_1, g_2\}$ of Ex. 4 a ranking structure is $(\Phi_1, \Phi_2)$ with $\Phi_1$ as in Ex. 6 and $\Phi_2(p(\bar{x})) = x_3 - x_2$. Here, we have $i(g_1) = 1$ and $i(g_2) = 2$. Later, in Ex. 25 and 27 we will extend the ranking structure to the whole program $\{g_1, g_2, g_3, g_4\}$.

The concept of ranking structures generalizes that of lexicographic global ranking functions used, e.g., in (Ben-Amram and Codish 2008; Alias et al. 2010). A lexicographic ranking function is a ranking structure; however, the converse is not always true, since the function $\Phi$ does not necessarily decrease on a transition rule which it anchors, and because $\Phi$ may assume values out of $\mathcal{D}^+$ in certain states.

Theorem 9

If there is a ranking structure for $\mathcal{G}$, then $\mathcal{G}$ terminates.

Definition 10

A ranking structure $(\Phi_1, \Phi_2, \ldots, \Phi_m)$ for $\mathcal{G}$ is irredundant if for all $j \leq m$, there is a transition $g \in \mathcal{G}$ such that $i(g) = j$.

It follows easily from the definitions that if there is a ranking structure for $\mathcal{G}$, there is an irredundant one, of length at most $|\mathcal{G}|$.



² The term "intermittent ranking function" is inspired by (Manna and Waldinger 1978).
3.2 Multiset Orders and Level Mappings

The building blocks for our construction are four quasi-orders on multisets of integers, and a notion of level mappings³, which map program states into pairs of multisets, whose difference (not set-theoretic difference; see Def. 15 below) will be used to rank the states. The difference will itself be a multiset, and we now elaborate on the relations that we use to order such multisets.

Definition 11 (multiset types)

Let $\mathcal{P}_n(\mathbb{Z})$ denote the set of multisets of integers of at most $n$ elements, where $n$ is fixed by context.⁴ The $\mu$-ordered multiset type, for $\mu \in \{\max, \min, ms, dms\}$, is the quasi-ordered set $(\mathcal{P}_n(\mathbb{Z}), \succeq^{\mu})$ where:

1. (max order) $S \succeq^{\max} T$ holds iff $\max(S) \geq \max(T)$, or $T$ is empty; $S \succ^{\max} T$ holds iff $\max(S) > \max(T)$, or $T$ is empty while $S$ is not.

2. (min order) $S \succeq^{\min} T$ holds iff $\min(S) \geq \min(T)$, or $S$ is empty; $S \succ^{\min} T$ holds iff $\min(S) > \min(T)$, or $S$ is empty while $T$ is not.

3. (multiset order (Dershowitz and Manna 1979)) $S \succ^{ms} T$ holds iff $T$ is obtained by replacing a non-empty $U \subseteq S$ by a (possibly empty) multiset $V$ such that $U \succ^{\max} V$; the weak relation $S \succeq^{ms} T$ holds iff $S \succ^{ms} T$ or $S = T$.

4. (dual multiset order (Ben-Amram and Lee 2001)) $S \succ^{dms} T$ holds iff $T$ is obtained by replacing a sub-multiset $U \subseteq S$ by a non-empty multiset $V$ with $U \succ^{\min} V$; the weak relation $S \succeq^{dms} T$ holds iff $S \succ^{dms} T$ or $S = T$.

Example 12

For $S = \{10, 8, 5\}$, $T = \{9, 5\}$: $S \succ^{\max} T$, $T \succeq^{\min} S$, $S \succ^{ms} T$, and $T \succ^{dms} S$.

Definition 13 (well-founded subset of multiset types)

For $\mu \in \{\max, \min, ms, dms\}$, we define $(\mathcal{P}_n(\mathbb{Z}), \succeq^{\mu})^+$ as follows: For min (respectively max) order, the subset consists of the multisets whose minimum (resp. maximum) is non-negative. For ms and dms orders, the subset consists of the multisets all of whose elements are non-negative.

Lemma 14

For all $\mu \in \{\max, \min, ms, dms\}$, $(\mathcal{P}_n(\mathbb{Z}), \succeq^{\mu})$ is a total quasi-order, with $\succ^{\mu}$ its strict part; and $(\mathcal{P}_n(\mathbb{Z}), \succeq^{\mu})^+$ is well-founded.

For MCs over the integers, it is necessary to consider differences: in the simplest case, we have a "low variable" $x$ that is non-descending and a "high variable" $y$ that is non-ascending, so $y - x$ is non-ascending (and will decrease if $x$ or $y$ changes). If we also have a constraint like $y \geq x$, to bound the difference from below, we can use this for ranking a loop (we refer to this situation as "the $\Pi$", due to the diagram in the paper's figure, not reproduced here). In the more general case, we consider sets of variables. We will search for a similar $\Pi$ situation involving a "low set" and a "high set". We next define how to form a difference of two sets so that one can follow the same strategy of "diminishing difference".

³ A reader familiar with previous works using this term should note that here, a level mapping is not in itself some kind of ranking function.

⁴ For monotonicity-constraint systems, $n$ is the maximum arity of program points.

Definition 15 (multiset difference)

Let $L, H$ be non-empty multisets with types $\mu_L, \mu_H$ respectively. Their difference $H - L$ is defined in the following way, depending on the types (there are 6 cases):

1. For $\mu_L \in \{\max, \min\}$, $H - L = \{h - \mu_L(L) \mid h \in H\}$ and has the type of $H$. (Here, $\mu_L(L)$ signifies $\min(L)$ or $\max(L)$ depending on the value of $\mu_L$.)

2. For $\mu_L \in \{ms, dms\}$ and $\mu_H \in \{\min, \max\}$, $H - L = \{\mu_H(H) - \ell \mid \ell \in L\}$ and has type $\overline{\mu_L}$ (where $\overline{ms} = dms$ and $\overline{dms} = ms$).

For $L$ and $H$ such that $H - L$ is defined, we say that the types of $L$ and $H$ are compatible. We write $H \sqsupseteq L$ if the difference belongs to the well-founded subset.

Note that $\sqsupseteq$ relates multisets of possibly different types and is not an order relation. Termination proofs do not require the difference of multisets with types in $\{ms, dms\}$ to be defined. To see why, observe that in "the $\Pi$", only one multiset must change strictly, and the non-strict relations $\succeq^{ms}$, $\succeq^{dms}$ are contained in $\succeq^{\max}$, $\succeq^{\min}$ respectively. Note also that $H \sqsupseteq L$ is equivalent, in all relevant cases, to $\mu_1(H) \geq \mu_2(L)$ with $\mu_1, \mu_2 \in \{\min, \max\}$. The intuition into why multiset difference is defined as above is rooted in the following lemma.

Lemma 16

Let $L, H$ be two multisets of compatible types $\mu_L, \mu_H$, and let $\mu_D$ be the type of $H - L$. Let $L', H'$ be of the same types as $L, H$ respectively. Then

$$H \succeq^{\mu_H} H' \wedge L \preceq^{\mu_L} L' \implies H - L \succeq^{\mu_D} H' - L';$$
$$H \succ^{\mu_H} H' \wedge L \preceq^{\mu_L} L' \implies H - L \succ^{\mu_D} H' - L';$$
$$H \succeq^{\mu_H} H' \wedge L \prec^{\mu_L} L' \implies H - L \succ^{\mu_D} H' - L'.$$
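The four orders of Def. 11, the well-founded subsets of Def. 13, the difference of Def. 15 and the monotonicity stated in Lemma 16 can all be checked on concrete multisets. The following Python code is an added example, not code from the paper or from the implementation it describes. It decides the multiset and dual multiset orders by brute-force enumeration of sub-multisets, directly from the replacement definition (adequate for the small multisets of Ex. 12, not an efficient algorithm); the names `ge_max`, `gt_ms`, `difference`, `decreases` and so on are this example's own, and the empty multiset is treated as lying outside the well-founded subset for the min and max types (an assumption, since Def. 13 does not say).

```python
from itertools import combinations

# Multisets of integers are plain lists.  Def. 11, items 1 and 2:
def ge_max(S, T): return not T or (bool(S) and max(S) >= max(T))
def gt_max(S, T): return bool(S) and (not T or max(S) > max(T))
def ge_min(S, T): return not S or (bool(T) and min(S) >= min(T))
def gt_min(S, T): return bool(T) and (not S or min(S) > min(T))

def submultisets(S):
    """Every sub-multiset of S once, as a sorted list (brute force)."""
    seen = set()
    for k in range(len(S) + 1):
        for c in combinations(sorted(S), k):
            if c not in seen:
                seen.add(c)
                yield list(c)

def minus(S, U):
    """S with one copy of each element of U removed; None if U is not a sub-multiset."""
    R = list(S)
    for u in U:
        if u not in R:
            return None
        R.remove(u)
    return R

def gt_ms(S, T):
    """Def. 11(3): T is S with a non-empty U replaced by some V such that U >max V."""
    for U in submultisets(S):
        V = minus(T, minus(S, U))           # the V put in place of U, if T = (S - U) + V
        if U and V is not None and gt_max(U, V):
            return True
    return False

def gt_dms(S, T):
    """Def. 11(4): T is S with some U replaced by a non-empty V such that U >min V."""
    for U in submultisets(S):
        V = minus(T, minus(S, U))
        if V and gt_min(U, V):
            return True
    return False

def ge_ms(S, T): return sorted(S) == sorted(T) or gt_ms(S, T)
def ge_dms(S, T): return sorted(S) == sorted(T) or gt_dms(S, T)

ORDERS = {"max": (ge_max, gt_max), "min": (ge_min, gt_min),
          "ms": (ge_ms, gt_ms), "dms": (ge_dms, gt_dms)}

def in_plus(mu, S):
    """Def. 13: is S in the well-founded subset of the mu-ordered type?  The
    empty multiset has no min/max; we count it as outside (an assumption)."""
    if mu in ("max", "min"):
        return bool(S) and (max(S) if mu == "max" else min(S)) >= 0
    return all(s >= 0 for s in S)

def difference(H, muH, L, muL):
    """Def. 15: the multiset H - L and its type; L and H must be non-empty."""
    if muL in ("max", "min"):                       # case 1: result has the type of H
        b = max(L) if muL == "max" else min(L)
        return [h - b for h in H], muH
    if muH in ("max", "min"):                       # case 2: result has the dual of L's type
        t = max(H) if muH == "max" else min(H)
        return [t - l for l in L], {"ms": "dms", "dms": "ms"}[muL]
    raise ValueError("incompatible multiset types")

def decreases(H, muH, L, muL, H2, L2):
    """Lemma 16 on concrete values: compare H - L with H2 - L2 in the type of
    the difference; returns (weakly decreasing, strictly decreasing)."""
    D, mu = difference(H, muH, L, muL)
    D2, _ = difference(H2, muH, L2, muL)
    ge, gt = ORDERS[mu]
    return ge(D, D2), gt(D, D2)
```

Running the values of Ex. 12 through `gt_max`, `ge_min`, `gt_ms` and `gt_dms` reproduces the four claims of that example, and `difference([x2, x3], "max", [x1], "min")` yields the multiset $\{x_2 - x_1, x_3 - x_1\}$ of type max, whose maximum is the function $\Phi_1 = \max(x_2, x_3) - x_1$ of Ex. 6; `in_plus` on that difference is exactly the boundedness condition $H \sqsupseteq L$.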

Level mappings are functions that facilitate the construction of ranking structures. Three types of level mappings are defined in (Ben-Amram and Codish 2008): numeric, plain, and tagged. In this paper we focus on "plain" and "tagged" level mappings and we adapt them for multisets of integers. Numeric level mappings have become redundant in this paper due to the passage from ranking functions to ranking structures. We first introduce the extension for plain level mappings.

Definition 17 (bi-multiset level mapping, or "level mapping" for short)

Let $\mathcal{G}$ be a MCS. A bi-multiset level mapping $f_{\mu_L, \mu_H}$ maps each program state $p(\bar{x})$ to a pair of (possibly intersecting) multisets $p^{low}_f(\bar{x}) = \{u_1, \ldots, u_l\} \subseteq \bar{x}$ and $p^{high}_f(\bar{x}) = \{v_1, \ldots, v_k\} \subseteq \bar{x}$ with types indicated respectively by $\mu_L, \mu_H \in \{\max, \min, ms, dms\}$. Only compatible pairs $\mu_L, \mu_H$ are admitted. The selection of argument positions only depends on the program point $p$.
Example 18

The following are the level mappings used (in Ex. 27) to prove termination of the program of Ex. 4. Here, each program point $p$ is mapped to $(p^{low}_f(\bar{x}), p^{high}_f(\bar{x}))$.

$$f^1_{\min,\max}(p(\bar{x})) = (\{x_1\}, \{x_2, x_3\}) \qquad f^2_{\min,\max}(p(\bar{x})) = (\{x_2\}, \{x_3\})$$
$$f^1_{\min,\max}(q(\bar{x})) = (\{x_1\}, \{x_2\}) \qquad\quad f^2_{\min,\max}(q(\bar{x})) = (\{\}, \{\})$$



We now turn to tagged level mappings. Assume the context of Def. 17 and let $M$ denote the sum of the arities of all program points. A tagged bi-multiset level mapping is just like a bi-multiset level mapping, except that set elements are pairs of the form $(x, t)$ where $x$ is from $\bar{x}$ and $t < M$ is a natural constant, called a tag. We view such a pair as representing the integer value $Mx + t$ (recall that $x$ is an integer). This transforms tagged multisets into multisets of integers, so Defs. 11–15 and the consequent definitions and results can be used without change.

Tags "prioritize" certain argument positions and can usefully turn weak inequalities into strict ones. For example, consider a transition rule $p(\bar{x}) \mathrel{:-} x_1 > y_1,\ x_1 \geq y_2, \ldots;\ p(\bar{y})$. The tagged set $\{(x_1, 1), (x_2, 0)\}$ is strictly greater (in ms order as well as in max order) than $\{(y_1, 1), (y_2, 0)\}$ (because $\pi \models (x_1, 1) > (y_2, 0)$). The plain sets $\{x_1, x_2\}$ and $\{y_1, y_2\}$ do not satisfy these relations. Thus tagging may increase the chance of finding a termination proof. We do not have any fixed rule for tagging; our SAT-based procedure will find a useful tagging if one exists. In the remainder we write "level mapping" to indicate a, possibly tagged, bi-multiset level mapping.

Level mappings are applied in termination proofs to express the diminishing difference of their low and high sets. To be useful, we also need to express a constraint relating the high and low sets, providing, figuratively, the horizontal bar of "the $\Pi$". A transition rule that has such a constraint is called bounded.

Definition 19 (bounded)

Let $\mathcal{G}$ be a MCS, $f$ a level mapping⁵ and $g \in \mathcal{G}$. A transition rule $g = p(\bar{x}) \mathrel{:-} \pi;\ q(\bar{y})$ in $\mathcal{G}$ is called bounded w.r.t. $f$ if $\pi \models p^{high}_f(\bar{x}) \sqsupseteq p^{low}_f(\bar{x})$.

Definition 20 (orienting transition rules)

Let $f$ be a level mapping. (1) $f$ orients transition rule $g = p(\bar{x}) \mathrel{:-} \pi;\ q(\bar{y})$ if $\pi \models p^{high}_f(\bar{x}) \succeq^{\mu_H} q^{high}_f(\bar{y})$ and $\pi \models p^{low}_f(\bar{x}) \preceq^{\mu_L} q^{low}_f(\bar{y})$; (2) $f$ orients $g$ strictly if, in addition, $\pi \models p^{high}_f(\bar{x}) \succ^{\mu_H} q^{high}_f(\bar{y})$ or $\pi \models p^{low}_f(\bar{x}) \prec^{\mu_L} q^{low}_f(\bar{y})$.

Example 21

We refer to Ex. 4 and the level mapping $f^1_{\min,\max}$ from Ex. 18. Function $f^1_{\min,\max}$ orients all transition rules, where $g_1$ and $g_3$ are oriented strictly; $g_1$ and $g_4$ are bounded w.r.t. $f^1_{\min,\max}$ (the reader may be able to verify this by observing the constraints; later we explain how our algorithm obtains this information).



⁵ We sometimes write $f$ (for short) instead of $f_{\mu_L, \mu_H}$.
Corollary 22 (of Def. 15 and Lemma 16)

Let $f$ be a level mapping and define $\Phi_f(p(\bar{x})) = p^{high}_f(\bar{x}) - p^{low}_f(\bar{x})$. If $f$ orients $g = p(\bar{x}) \mathrel{:-} \pi;\ q(\bar{y})$, then $\pi \models \Phi_f(p(\bar{x})) \succeq \Phi_f(q(\bar{y}))$; and if $f$ orients $g$ strictly, then $\pi \models \Phi_f(p(\bar{x})) \succ \Phi_f(q(\bar{y}))$.

The next theorem combines orientation and bounding to show how a level mapping induces anchors. Note that we refer to cycles in the CFG also as "cycles in $\mathcal{G}$", as the CFG is implicit in $\mathcal{G}$.

Theorem 23

Let $\mathcal{G}$ be a MCS and $f$ a level mapping. Let $g = p(\bar{x}) \mathrel{:-} \pi;\ q(\bar{y})$ be such that every cycle $C$ including $g$ satisfies these conditions: (1) all transitions in $C$ are oriented by $f$, and at least one of them strictly; (2) at least one transition in $C$ is bounded w.r.t. $f$. Then $g$ is a $\Phi_f$-anchor for $\mathcal{G}$, where $\Phi_f(p(\bar{x})) = p^{high}_f(\bar{x}) - p^{low}_f(\bar{x})$.

Definition 24 (MCNP anchors and ranking functions)

Let $\mathcal{G}$ be a MCS and $f$ a level mapping. We say that $g$ is a MCNP-anchor for $\mathcal{G}$ w.r.t. $f$ if $f$ and $g$ satisfy the conditions of Thm. 23. The function $\Phi_f$ is called a MCNP (intermittent) ranking function (MCNP IRF).

Note that if $g$ is not included in any cycle, then the definition is trivially satisfied for any $f$. Indeed, such transition rules are removed by our algorithm without searching for level mappings at all.

Example 25

The facts in Ex. 21 imply that $g_1$, $g_3$, and $g_4$ are MCNP-anchors w.r.t. $f^1_{\min,\max}$.

We remark that numerous termination proving techniques follow the pattern of, repeatedly, identifying and removing anchors. However, typically, the function $\Phi$ used for ranking is required to be strictly decreasing, and bounded, on the anchor itself, which (at least implicitly) means that a lexicographic ranking function is being constructed; see, e.g., (Colón and Sipma 2002). The anchor criterion expressed in Thm. 23 (inspired by (Giesl et al. 2007, Thm. 8)) is more powerful. We note that the difference is only important with non-well-founded domains. When the ranking is only done with orders that are a priori well-founded, as for example in (Giesl et al. 2006; Hirokawa and Middeldorp 2005), considering the strictly-oriented transitions as anchors is sufficient. In comparison to (Giesl et al. 2007), we note that they do not use the concept of anchors, and propose an algorithm which can generate an exponential number of level-mapping-finding subproblems (whereas ours generates, in the worst case, as many problems as there are transition rules).



4 The MCNP Problem 

In this section, we present necessary and sufficient conditions for orientability and boundedness. Based on these, we conclude that proving termination with MCNP IRFs is in NP. This also forms the basis for our SAT-based algorithm in Sect. 5.
Definition 26 (MCNP)

A system of monotonicity constraints is in MCNP if it has a ranking structure which is a tuple of MCNP IRFs.

It follows from Thm. 9 that if a MCS is in MCNP, then it terminates.

Example 27

Consider again Ex. 4 and the level mappings from Ex. 18. Then, $(\Phi_{f^1}, \Phi_{f^2})$ is a ranking structure for $\mathcal{G}$. As already observed, $g_1$, $g_3$, and $g_4$ are MCNP-anchors for $f^1$. Observe now that $f^2$ is both strict and bounded on $g_2$.

Ranking structures are constructed through iterative search for suitable level mappings which prescribe pairs of (possibly tagged) multisets of arguments which must satisfy relations of the form $\succeq^{\mu}$, $\succ^{\mu}$, and $\sqsupseteq$.

Let $g = p(\bar{x}) \mathrel{:-} \pi;\ q(\bar{y})$ and $S, T$ be non-empty sets of (tagged) argument positions of $p$ or of $q$. We show how to check for each $\mu \in \{\max, \min, ms, dms\}$ if $\pi \models S \succeq^{\mu} T$. Viewing $g$ as a graph (as in Ex. 4), let $g^*$ denote the transpose of $g$ (obtained by inverting the arcs). While tagged level mappings can be represented as "ordinary" bi-multiset level mappings (as indicated in Sect. 3.2), for their SAT encoding it is advantageous to represent the orders on tagged pairs explicitly:

$$\pi \models (x, i) \geq (y, j) \iff (\pi \models x > y) \vee ((\pi \models x \geq y) \wedge i \geq j)$$
$$\pi \models (x, i) > (y, j) \iff (\pi \models x > y) \vee ((\pi \models x \geq y) \wedge i > j)$$

Below, $x, y$ either both represent arguments, or both represent tagged arguments, with relations $x \geq y$, $x > y$ interpreted accordingly.

1. max order: ($S \succeq^{\max} T$) every $y \in T$ must be "covered" by an $x \in S$ such that $\pi \models x \geq y$. Strict descent requires $S \neq \emptyset$ and $x > y$.

2. min order: ($S \succeq^{\min} T$) same conditions but on $g^*$ (now $T$ covers $S$).

3. multiset order: ($S \succeq^{ms} T$) every $y \in T$ must be "covered" by an $x \in S$ such that $\pi \models x \geq y$. Furthermore each $x \in S$ either covers each related $y$ strictly ($x > y$) or covers at most a single $y$. Descent is strict if there is some $x$ that participates in strict relations.

4. dual multiset order: ($S \succeq^{dms} T$) same conditions but on $g^*$ (now $T$ covers $S$).

We also show how to decide if the relation $H \sqsupseteq L$ holds: For $\mu_L, \mu_H \in \{\max, \min\}$, $H \sqsupseteq L$ holds iff $\mu_H(H) \geq \mu_L(L)$.⁶ For $\mu_L = \min$ and $\mu_H \in \{ms, dms\}$, $H \sqsupseteq L$ holds iff $H \succeq^{\min} L$. For $\mu_L \in \{ms, dms\}$ and $\mu_H = \max$, $H \sqsupseteq L$ holds iff $H \succeq^{\max} L$. For $\mu_L = \max$ and $\mu_H \in \{ms, dms\}$, $H \sqsupseteq L$ holds if $\min(H) \geq \max(L)$. For $\mu_L \in \{ms, dms\}$ and $\mu_H = \min$, $H \sqsupseteq L$ holds if $\min(H) \geq \max(L)$.

Since the above conditions allow for verification of a proposed MCNP ranking structure in polynomial time, we obtain the following theorem.

⁶ Note that checking this amounts to checking for $\succeq^{\mu}$ in the case $\mu_L = \mu_H = \mu$; for the other cases, $\max(H) \geq \min(L)$ holds if there is at least one arc from an $H$ vertex to an $L$ vertex; $\min(H) \geq \max(L)$ holds if there is an arc from every $H$ vertex to every $L$ vertex.
Theorem 28

MCNP is in NP.



5 A SAT-based MCNP Algorithm 

Given that MCNP is in NP, we provide a reduction (an encoding) to SAT which enables us to find termination proofs using an off-the-shelf SAT solver. We invoke a SAT solver iteratively to generate level mappings and construct a ranking structure $(\Phi_1, \Phi_2, \ldots, \Phi_m)$. Our main algorithm is presented in Sect. 5.1. Sect. 5.2 discusses how to find appropriate level mappings and Sect. 5.3 introduces the SAT encoding.



5.1 Main algorithm 

Given a MCS $\mathcal{G}$, the idea is to iterate as follows: while $\mathcal{G}$ is not empty, find a level mapping $f$ inducing one or more anchors for $\mathcal{G}$. Remove the anchors, and repeat. The instruction "find a level mapping" is performed using a SAT encoding (for each of the compatible pairs of multiset orders). To improve performance, the algorithm follows the SCC (strongly connected components) decomposition of (the CFG of) $\mathcal{G}$. This leads to smaller subproblems for the SAT solver and is justified by the observation that inter-component transitions are trivially anchors (not included in any cycle). In the following let $scc(\mathcal{G})$ denote the set of non-vacant SCCs of $\mathcal{G}$ (that is, SCCs which are not a vertex without any arcs).

Main Algorithm.

input: $\mathcal{G}$ (a MCS)

output: $\rho = (f^1, f^2, \ldots)$ (tuple of level mappings such that $(\Phi_{f^1}, \Phi_{f^2}, \ldots)$
is a ranking structure for $\mathcal{G}$). The algorithm aborts if $\mathcal{G}$ is not in MCNP.

1. $\rho = ()$ (empty queue); $S = scc(\mathcal{G})$ (stack with non-vacant SCCs of $\mathcal{G}$);

2. while ($S \neq \emptyset$)

• pop $C$ from $S$ (a MCS) and find (using SAT) a level mapping
$f$ to anchor some transition rules in $C$ (if none, abort: $C \notin$ MCNP)

• extend $f$ to program points $p$ not in $C$ by $f(p(\bar{x})) = (\emptyset, \emptyset)$

• append $f$ to $\rho$ and remove from $C$ the $\Phi_f$-anchors that were found

• push elements of $scc(C)$ to $S$

3. return $\rho$

Theorem 29 

The main algorithm succeeds if and only if $\mathcal{G}$ is in MCNP.

5.2 Finding a level mapping 

The main step in the algorithm is to find a level mapping which anchors some
transition rules of a strongly-connected MCS. Let $\mathcal{G}$ be strongly connected and $f$ a
level mapping which orients all transition rules in $\mathcal{G}$, strictly orients the transition
rules from a non-empty set $S \subseteq \mathcal{G}$, and where $B \subseteq \mathcal{G}$ (non-empty) are bounded.
Following Thm. 23, a transition rule $g$ is an anchor if every cycle in $\mathcal{G}$ containing
$g$ has an element from $S$ and an element from $B$. We need to check all cycles in $\mathcal{G}$
(possibly exponentially many). We describe a way of doing so by numbering nodes
which lends itself well to a SAT-based solution.

Definition 30 (node numbering)

A node numbering is a function $num$ from $n$ program points to $\{1, \ldots, n\}$. For
$g = p(\bar{x}) :- \pi; q(\bar{y})$, we denote $\Delta num(g) = num(q) - num(p)$. For a set $\mathcal{H} \subseteq \mathcal{G}$, we
say that $num$ agrees with $\mathcal{H}$ if for all $g \in \mathcal{G}$: $\Delta num(g) > 0 \Rightarrow g \in \mathcal{H}$.

Now for $g \in \mathcal{G}$, checking that every cycle of $\mathcal{G}$ containing $g$ also contains an
element of $S$ is reduced to finding a node numbering $num_S$ with $\Delta num_S(g) \neq 0$
which agrees with $S$. Then, any cycle containing $g$ must also contain an edge $g'$
with $\Delta num_S(g') > 0$. But this implies that $g' \in S$ because $num_S$ agrees with $S$.

Lemma 31

Let $\mathcal{G}$, $f$, $S$, and $B$ be as above. Then, $g \in \mathcal{G}$ is a MCNP-anchor for $\mathcal{G}$ w.r.t. $f$ if and
only if: (1) $g \in S \cap B$; or (2) there are node numberings $num_S$ and $num_B$ agreeing
with $S$ and $B$ respectively, such that $\Delta num_S(g) \neq 0$ and $\Delta num_B(g) \neq 0$.

Example 32

We now describe the application of the Main Algorithm to Ex. 4. Initially, there
is a single SCC, $C = \mathcal{G}$. Using SAT solving (as described in Sect. 5.3) we find
that level mapping $f^1$ of Ex. 18 orients all transitions, strictly orients $S = \{g_1, g_3\}$
and is bounded on $B = \{g_1, g_4\}$. Hence, by choosing the numbering $num_B(p) = 2$,
$num_B(q) = 1$, $num_S(p) = 1$, $num_S(q) = 2$, we obtain that $g_1$, $g_3$ and $g_4$ are anchors.
Note that the problem encoded to SAT represents the choice of the level mapping
and node numbering at once. Now, $\rho$ is set to $(f^1)$, and the anchors are removed
from $C$, leaving a SCC consisting of point $p$ and transition rule $g_2$. In a second
iteration, level mapping $f^2$ of Ex. 18 is found and appended to $\rho$. No SCC remains,
and the algorithm terminates.

Note that our algorithm is non-deterministic (due to leaving some decisions to the
SAT solver). In this example, the first iteration could come up with the numbering
$num_B(p) = num_B(q) = 1$, which would cause only $g_1$ to be recognized as an
anchor. Thus, another iteration would be necessary, which would find a numbering
according to which $g_3$ and $g_4$ are anchors, since this time there is no other option.
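As an added illustration (not code from the paper), the following Python program implements the Main Algorithm of Sect. 5.1 together with the node-numbering anchor test of Lemma 31, using the deterministic numbering from the lemma's proof (SCCs of $\mathcal{G}$ minus $S$, respectively minus $B$, in reverse topological order) in place of the SAT solver's choice. The end-points of the rules in the Ex. 32-shaped MCS and the oracle standing in for the SAT search are assumptions.

```python
"""Added example (not the paper's code): Lemma 31's anchor test and the main
loop of Sect. 5.1 on a constructed MCS. A level mapping is given only as S
(rules oriented strictly) and B (rules bounded); all rules are assumed weakly
oriented, and a caller-supplied oracle stands in for the SAT search."""
from collections import defaultdict

# A rule g = p(x) :- pi; q(y) is kept as (name, p, q); pi is not needed here.

def sccs(points, rules):
    """Tarjan's algorithm: SCCs of the CFG in reverse topological order, so
    numbering by list position sends inter-component arcs to smaller numbers."""
    succ = defaultdict(list)
    for _, p, q in rules:
        succ[p].append(q)
    index, low, on_stack, stack, order = {}, {}, set(), [], []

    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        on_stack.add(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:          # v is the root of a finished SCC
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            order.append(frozenset(comp))

    for v in sorted(points):            # sorted only for reproducible numbers
        if v not in index:
            visit(v)
    return order

def numbering(points, rules, excluded):
    """Numbering that agrees with `excluded` (proof of Lemma 31): SCCs of G
    minus the excluded rules, numbered in reverse topological order."""
    rest = [g for g in rules if g[0] not in excluded]
    return {v: i for i, comp in enumerate(sccs(points, rest), 1) for v in comp}

def agrees(num, rules, subset):
    """Def. 30: delta_num(g) = num(q) - num(p) > 0 implies g in subset."""
    return all(num[q] - num[p] <= 0 or name in subset for name, p, q in rules)

def anchors(points, rules, S, B):
    """Lemma 31: g is an anchor iff g is in S and B, or both numberings give
    delta_num(g) != 0 (every cycle through g then uses an S and a B rule)."""
    num_S, num_B = numbering(points, rules, S), numbering(points, rules, B)
    assert agrees(num_S, rules, S) and agrees(num_B, rules, B)
    return {name for name, p, q in rules
            if (name in S and name in B)
            or (num_S[q] != num_S[p] and num_B[q] != num_B[p])}

def non_vacant(points, rules):
    """SCCs that contain at least one arc, as (points, rules) pairs."""
    comps = [(c, [g for g in rules if g[1] in c and g[2] in c])
             for c in sccs(points, rules)]
    return [(c, inner) for c, inner in comps if inner]

def main_algorithm(points, rules, oracle):
    """Sect. 5.1: oracle(points, rules) returns (S, B) for a strongly connected
    MCS or None. Returns the list rho of (S, B) found, or None if not in MCNP."""
    rho, stack = [], non_vacant(points, rules)
    while stack:
        c_points, c_rules = stack.pop()
        lm = oracle(c_points, c_rules)
        found = anchors(c_points, c_rules, *lm) if lm else set()
        if not found:                   # no anchor: abort, C is not in MCNP
            return None
        rho.append(lm)
        remaining = [g for g in c_rules if g[0] not in found]
        stack.extend(non_vacant(c_points, remaining))
    return rho

# Constructed MCS shaped like Ex. 32; the rule end-points are our assumption.
POINTS = {"p", "q"}
RULES = [("g1", "p", "q"), ("g2", "p", "p"), ("g3", "p", "q"), ("g4", "q", "p")]
S1, B1 = {"g1", "g3"}, {"g1", "g4"}   # rules f^1 strictly orients / bounds

def example_oracle(points, rules):
    """Hypothetical stand-in for the SAT search: f^1 on the whole MCS, then a
    mapping that strictly orients and bounds the remaining self-loop g2."""
    names = {g[0] for g in rules}
    if names == {"g1", "g2", "g3", "g4"}:
        return S1, B1
    return ({"g2"}, {"g2"}) if names == {"g2"} else None
```

With $B$ shrunk to $\{g_1\}$ the numbering $num_B$ collapses to a single value and only $g_1$ survives the test, which is the situation described in the note above.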



5.3 A SAT encoding 

Let $\mathcal{G}$ be a strongly connected MCS (assume the context of the Main Algorithm
of Sect. 5.1). For a compatible pair $\mu_L, \mu_H$ we construct a propositional formula
$\psi_{\mu_L,\mu_H}$ which is satisfiable iff there exists a level mapping $f_{\mu_L,\mu_H}$ that anchors some
transition rules in $\mathcal{G}$. We focus on tagged level mappings (omitting tags is the same
as assigning them all the same value).

Each program point $p$ and argument position $i$ is associated with an integer
variable $tag^p_i$. Integer variables are encoded through their bit representation. In the
following, we write, for example, $\|n > m\|$ to indicate that the relation $n > m$ on integer
variables is encoded to a propositional formula in CNF. Let $g = p(\bar{x}) :- \pi; q(\bar{y})$
and consider each $a, b \in \bar{x} \cup \bar{y}$. At the core of the encoding, we use a formula $\varphi_{rel}$
which introduces a propositional variable $e^{>}_{a,b}$ to specify a corresponding "tagged
edge", $e^{>}_{a,b} \leftrightarrow \pi \models (a, tag_1) > (b, tag_2)$, as prescribed in Eq. (1). Here, $tag_1$ and
$tag_2$ are the integer tags associated with the program points and argument positions
of $a$ and $b$ (in $g$). We proceed likewise for the propositional variable $e^{\geq}_{a,b}$.

Example 33

Consider $g_3 = p(x_1, x_2, x_3) :- y_1 > x_1, x_2 \geq y_2; q(y_1, y_2)$ from Ex. 21. The formula
$\varphi_{rel}$ contains (among others) the following conjuncts. From $(y_1 > x_1)$, $(e^{>}_{y_1,x_1} \leftrightarrow true)$
and $(e^{\geq}_{y_1,x_1} \leftrightarrow true)$; from $(x_2 \geq y_2)$, $(e^{>}_{x_2,y_2} \leftrightarrow \|tag^p_2 > tag^q_2\|)$ and
$(e^{\geq}_{x_2,y_2} \leftrightarrow \|tag^p_2 \geq tag^q_2\|)$. Observe also, $e^{>}_{x_3,y_1} \leftrightarrow false$ and $e^{\geq}_{x_3,y_1} \leftrightarrow false$.



We introduce the following additional propositional variables:

• $weak_g \leftrightarrow g$ oriented weakly by $f_{\mu_L,\mu_H}$

• $strict_g \leftrightarrow g$ oriented strictly by $f_{\mu_L,\mu_H}$

• $bound_g \leftrightarrow p^{high}(\bar{x}) \sqsupseteq p^{low}(\bar{x})$

• $anchor_g \leftrightarrow g$ is an anchor w.r.t. $f$ in $\mathcal{G}$

• $weak^{high}_g \leftrightarrow q^{high}(\bar{y}) \preceq^{\mu_H} p^{high}(\bar{x})$

• $strict^{high}_g \leftrightarrow q^{high}(\bar{y}) \prec^{\mu_H} p^{high}(\bar{x})$

• $weak^{low}_g \leftrightarrow p^{low}(\bar{x}) \preceq^{\mu_L} q^{low}(\bar{y})$

• $strict^{low}_g \leftrightarrow p^{low}(\bar{x}) \prec^{\mu_L} q^{low}(\bar{y})$

and, for every program point $p$, two integer variables $num^S_p$ and $num^B_p$ to represent
the node numberings from Def. 30.

Our encoding takes the following form: 









^see / \geg ] 



The first two conjuncts specify that $f_{\mu_L,\mu_H}$ is a level mapping which orients $\mathcal{G}$, the
third is specified as $\psi_{rel} = \bigwedge_{g \in \mathcal{G}} \varphi_{rel}$, and the rest are explained below:

Proposition $\psi_{anchor}$ imposes the intended meanings on $weak_g$, $strict_g$ and $anchor_g$ (see
Def. 19 and Lemma 31).

$$\psi_{anchor} = \bigwedge_{g = p(\bar{x}) :- \pi;\, q(\bar{y})} \left( \begin{array}{l}
(weak_g \leftrightarrow (weak^{high}_g \wedge weak^{low}_g)) \wedge \\
(strict_g \leftrightarrow (weak_g \wedge (strict^{high}_g \vee strict^{low}_g))) \wedge \\
(anchor_g \leftrightarrow ((p \neq q) \wedge (\|num^S_q \neq num^S_p\| \wedge \|num^B_q \neq num^B_p\|)) \vee \\
\qquad\qquad ((p = q) \wedge strict_g \wedge bound_g))
\end{array} \right)$$

Proposition $\psi_{pos}$ enforces that the node numberings $num_S$ and $num_B$ agree with
sets $S$ and $B$, cf. Lemma 31:

$$\psi_{pos} = \bigwedge_{g = p(\bar{x}) :- \pi;\, q(\bar{y})} \left( (\|num^S_p < num^S_q\| \rightarrow strict_g) \wedge (\|num^B_p < num^B_q\| \rightarrow bound_g) \right)$$

Proposition $\psi_{high}$ imposes that $weak^{high}_g$ and $strict^{high}_g$ are true exactly when
$p^{high}(\bar{x}) \succeq^{\mu_H} q^{high}(\bar{y})$ and $p^{high}(\bar{x}) \succ^{\mu_H} q^{high}(\bar{y})$, respectively. We focus on the
case when $\mu_H = max$; the other cases are similar and omitted for lack of space.

$$\psi_{high} = \bigwedge_{g = p(\bar{x}) :- \pi;\, q(\bar{y})} \left( \begin{array}{l}
\left( weak^{high}_g \leftrightarrow \bigwedge_{1 \leq j \leq m} \left( q^{high}_j \rightarrow \bigvee_{1 \leq i \leq n} (p^{high}_i \wedge e^{\geq}_{x_i,y_j}) \right) \right) \wedge \\
\left( strict^{high}_g \leftrightarrow \bigwedge_{1 \leq j \leq m} \left( q^{high}_j \rightarrow \bigvee_{1 \leq i \leq n} (p^{high}_i \wedge e^{>}_{x_i,y_j}) \right) \wedge \bigvee_{1 \leq i \leq n} p^{high}_i \right)
\end{array} \right)$$

The encoding of proposition $\psi_{low}$ is similar (and also omitted for lack of space).



The propositional variables $p^{low}_i$, $p^{high}_i$, $q^{low}_j$, and $q^{high}_j$ ($1 \leq i \leq n$, $1 \leq j \leq m$)
indicate the argument positions of $p/n$ and $q/m$ selected by the level mapping
$f_{\mu_L,\mu_H}$ for the low and high sets, respectively. The first subformula specifies that
a transition rule is weakly oriented by the max order if for each $j$ where $q^{high}_j$ is
selected (i.e., the $j$-th argument of $q$ is in $q^{high}$), at least one of the selected positions
$p^{high}_i$ has to "cover" $q^{high}_j$ with a weak constraint $x_i \geq y_j$. The second subformula
is similar for the case of strict orientation with the additional requirement that at
least one $p^{high}_i$ should be selected.

Proposition $\psi_{bound}$ constrains $bound_g$ to be true iff $p^{high}(\bar{x}) \sqsupseteq p^{low}(\bar{x})$ is satisfied by $g$.
As observed in Sect. 4, this test boils down to four cases. We illustrate the encoding
for the case $min(p^{high}(\bar{x})) \geq max(p^{low}(\bar{x}))$:

$$\psi_{bound} = \bigwedge_{g = p(\bar{x}) :- \pi;\, q(\bar{y})} \left( bound_g \leftrightarrow \bigwedge_{1 \leq i \leq n,\, 1 \leq j \leq n} \left( (p^{high}_i \wedge p^{low}_j) \rightarrow e^{\geq}_{x_i,x_j} \right) \right)$$

Proposition $\psi_{ne}$ constrains the level mapping so that for each program point $p$, the
sets $p^{low}$ and $p^{high}$ are not empty. Let $V$ denote the set of program points in $\mathcal{G}$.

$$\psi_{ne} = \bigwedge_{p \in V} \left( \left( \bigvee_{1 \leq i \leq n} p^{low}_i \right) \wedge \left( \bigvee_{1 \leq i \leq n} p^{high}_i \right) \right)$$

6 Implementation and Experiments 

We implemented a termination analyzer based on our SAT encoding for MCNP
and tested it on three benchmark suites. Experiments were conducted running
the SAT4J (Le Berre and Parrain 2010) solver on an Intel Core i3 at 2.93 GHz
with 2 GB RAM. For further details on our experiments see Appendix B and
http://aprove.informatik.rwth-aachen.de/eval/MCNP



Suite 1 consists of 81 MCSs obtained from various research papers on termination
and from abstracting textbook style C programs (see footnote below). MCNP proves 66 of them
terminating with an average runtime of 0.55s (maximal runtime is 5.15s). This suite
contains the 32 examples from the evaluation of (Fuhs et al. 2009). That paper
introduced integer term rewrite systems (ITRSs), where standard operations on
integers are pre-defined, and showed how to use a rewriting-based termination prover
like AProVE for algorithms on integers. MCNP shows termination of 27 of these.

Footnote: Using a translator developed by A. Ben-Shabtai and Z. Mann at Tel-Aviv Academic College.

AProVE proves termination of these 27 and one more example. On the 32 examples
from (Fuhs et al. 2009), the average runtime of MCNP is 0.22s, whereas the average
runtime of AProVE is 5.3s for the examples with no timeout (AProVE times out
after 60s on 4 examples). This shows that MCNP is sufficiently powerful for
representative programs on integers and demonstrates the efficiency of our SAT-based
implementation. The comparison with AProVE on the examples from (Fuhs et al.
2009) indicates that MCNP has about the same precision and is significantly faster.

Suite 2 originates from the Java Bytecode (JBC) programs in the JBC and JBC
Recursive categories of the International Termination Competition 2010. 165 MCS
instances were obtained by first applying the preprocessor of the termination
analyzer COSTA (Albert et al. 2008), resulting in (binary clause) constraint logic
programs with linear constraints (CLPQ). After minor processing, these are abstracted
to MCSs (applying SWI Prolog with its CLPQ library). MCNP provides a termination
proof for 92 of these with an average runtime of 0.66s (maximal runtime
is 16.31s). In contrast, COSTA shows termination of 102 programs. However, it
encounters a (120 second) timeout on 5 instances. COSTA's average runtime for the
examples with no timeout is 0.076s. From these experiments we see that although
MCNP is based on very simple ranking functions, it is able to provide many of the
proofs, and does not encounter timeouts. Moreover, there are 5 programs where
MCNP provides a proof and COSTA does not (4 due to timeouts).

Suite 3. Here, the Competition 2010 version of the termination analyzer AProVE
abstracts JBC programs from the (non-recursive) JBC category of the Termination
Competition 2010 to ITRSs. (This abstraction from (Brockschmidt et al. 2010; Otto
et al. 2010) only works for programs without recursion.) To further transform ITRSs
into MCSs, we apply an abstraction which maps terms to their size and replaces
non-linear arithmetic sub-expressions by fresh variables. This results in a CLPQ
representation which is further abstracted to MCSs as for Suite 2. For the resulting
127 instances, MCNP provides 63 termination proofs, 8 timeouts after 60s, and
an average runtime of 5.76s (we count timeouts as 60s). To compare, we apply
AProVE directly but fix the abstraction to be the same as in the preprocessor for
MCNP. This results in 73 termination proofs and 8 timeouts with an average time of
14.16s. There are 5 instances where MCNP provides a proof not found by AProVE.
Applying AProVE without fixing the abstraction gives 95 termination proofs, 19
timeouts, and an average time of 17.12s (there are still 3 instances where MCNP
provides a proof not found by AProVE). This shows that the additional proving
power in AProVE comes primarily from the search for the right abstraction. Once
the abstraction is fixed, MCNP is of similar precision and much faster. Thus, it could
be fruitful to use a combination of tools where the MCNP-analyzer is tried first and
the rewrite-based analyzer is only applied for the remaining "hard" examples.



Footnotes:

Using an Intel Core 2 Quad CPU Q9450 at 2.66 GHz with 8 GB RAM.

In this competition, AProVE, COSTA, and Julia competed against each other.
See http://www.termination-portal.org/wiki/Termination_Competition for details.

Experiments for COSTA were performed on an Intel Core i5 at 3.2 GHz with 3 GB RAM.

Using an Intel Xeon 5140 at 2.33 GHz with 16 GB RAM and imposing a time limit of 60s.
7 Conclusion

We introduced a new approach to prove termination of monotonicity-constraint
transition systems. The idea is to construct a ranking structure, of a novel kind,
extending previous work in this area. To verify whether a MCS has such a ranking
structure, we use an algorithm based on SAT solving. We implemented our algorithm
and evaluated it in extensive experiments. The results demonstrate the power
of our approach and show that its integration into termination analyzers for Java
Bytecode advances the state of the art of automated termination analysis.

Acknowledgment. We thank Samir Genaim for help with the benchmarking.
Appendix A Proofs

Theorem 9 

If there is a ranking structure for $\mathcal{G}$, then $\mathcal{G}$ terminates.

Proof 

Suppose that $\mathcal{G}$ has an infinite run $s = p_0(\bar{x}_0) \to p_1(\bar{x}_1) \to p_2(\bar{x}_2) \to \cdots$. Let $\mathcal{H}$ be
the set of transition rules that are applied infinitely often in this run. Using the
notation of Def. 7, choose $g \in \mathcal{H}$ such that $i(g)$ is minimal. Then $g$ is a $\Phi_{i(g)}$-anchor
for a subset of $\mathcal{G}$ containing $\mathcal{H}$. Consider the infinite tail of $s$ that stays within $\mathcal{H}$
and note that it includes infinitely many occurrences of $g$. Using Def. 8 it is not
hard to show that there is an infinite sequence $i_1 < i_2 < i_3 < \cdots$, such that for all
$k > 0$, $\Phi_{i(g)}(p_{i_k}(\bar{x}_{i_k})) \in \mathcal{D}^+$, and in addition, $\Phi_{i(g)}(p_{i_k}(\bar{x}_{i_k})) \succ \Phi_{i(g)}(p_{i_{k+1}}(\bar{x}_{i_{k+1}}))$.
This contradicts the well-foundedness of $\mathcal{D}^+$, thus we conclude that such an infinite
run cannot exist. □

Lemma 14

For all $\mu \in \{max, min, ms, dms\}$, $(\mathcal{P}_n(\mathbb{Z}), \succeq^{\mu})$ is a total quasi-order, with $\succ^{\mu}$ its
strict part; and $(\mathcal{P}_n(\mathbb{Z}), \succeq^{\mu})^+$ is well-founded.

Proof 

The claims are straightforward for the max and min orders. For the multiset orders,
since our value domain ($\mathbb{Z}$) is totally ordered, we will justify the claims by referring
to properties of the lexicographic order. Let $S, T \in \mathcal{P}_n(\mathbb{Z})$. For the multiset order
($ms$), let $tup(S)$ be the tuple consisting of the elements of $S$ in non-increasing order.
If $S \neq T$, then either one tuple is a prefix of another (then the larger multiset is
also greater under $\succ^{ms}$), or there is a first position where the elements differ. If in
this first position the element of $S$ is larger, it is easy to show that $S \succ^{ms} T$. Thus,
$\succ^{ms}$ agrees with the lexicographic ordering on the tuples, which proves that it is a
total quasi-order (in fact, a total order).

Multisets in $(\mathcal{P}_n(\mathbb{Z}), \succeq^{ms})^+$ map to tuples of non-negative integers; it is well-known
that the lexicographic order on tuples of non-negative integers is well-founded.

For $\succeq^{dms}$ we argue in the same way, using tuples in non-decreasing order. □

Lemma 16 

Let $L, H$ be two multisets of compatible types $\mu_L, \mu_H$, and let $\mu_D$ be the type of
$H - L$. Let $L', H'$ be of the same types as $L, H$ respectively. Then

$$H \succeq^{\mu_H} H' \wedge L \preceq^{\mu_L} L' \Rightarrow H - L \succeq^{\mu_D} H' - L';$$
$$H \succ^{\mu_H} H' \wedge L \preceq^{\mu_L} L' \Rightarrow H - L \succ^{\mu_D} H' - L';$$
$$H \succeq^{\mu_H} H' \wedge L \prec^{\mu_L} L' \Rightarrow H - L \succ^{\mu_D} H' - L'.$$

In order to prove Lemma 16 we first need the following definition and lemma. 
Definition 17 (multiset negation)

Let $S = \{s_1, s_2, \ldots, s_n\}$ be a multiset of integers. The negation of $S$, $(-S)$, is
$\{-s_1, -s_2, \ldots, -s_n\}$.

Lemma 18

Let $S, T$ be non-empty multisets.

1. If $S \succeq^{max} T$ then $(-T) \succeq^{min} (-S)$ and if $S \succ^{max} T$ then $(-T) \succ^{min} (-S)$.

2. If $S \succeq^{min} T$ then $(-T) \succeq^{max} (-S)$ and if $S \succ^{min} T$ then $(-T) \succ^{max} (-S)$.

3. If $S \succeq^{ms} T$ then $(-T) \succeq^{dms} (-S)$ and if $S \succ^{ms} T$ then $(-T) \succ^{dms} (-S)$.

4. If $S \succeq^{dms} T$ then $(-T) \succeq^{ms} (-S)$ and if $S \succ^{dms} T$ then $(-T) \succ^{ms} (-S)$.

Proof

We only prove (3), since (1) and (2) are trivial and (4) is similar to (3). $S \succeq^{ms} T \wedge S \not\succ^{ms} T$
holds iff $S = T$ and in this case $(-T) \succeq^{dms} (-S)$ by the definition.
Let $S \succ^{ms} T$. We need to prove that $(-T) \succ^{dms} (-S)$.

Let $C = S \cap T$, $S_{rest} = S \setminus C$ and $T_{rest} = T \setminus C$. Now we can express $(-S)$ and
$(-T)$ in the following way: $(-S) = (-C) \cup (-S_{rest})$ and $(-T) = (-C) \cup (-T_{rest})$.
By the definition of $\succ^{ms}$, $S_{rest} \succ^{max} T_{rest}$. So $(-T_{rest}) \succ^{min} (-S_{rest})$. According
to the definition of $\succ^{dms}$ we conclude that $(-T) \succ^{dms} (-S)$. □

Next we prove Lemma 16. 

Proof 

The following properties are easy to prove:

(i) If the elements of two multisets $S$ and $T$ can be put in one-to-one correspondence
$(s_i, t_i)$ such that $s_i \geq t_i$ in all pairs, then $S \succeq^{\mu} T$ for all $\mu$. If for all pairs $s_i > t_i$,
then $S \succ^{\mu} T$.

(ii) If $H, H'$ are multisets and $c \in \mathbb{Z}$, then shifting all elements of both sets by $c$
preserves the order relations among them.

Now we will prove the lemma for each of the cases.

1. $\mu_L = max$: According to property (ii) we have

$$H \succeq^{\mu_H} H' \Rightarrow \{\, h - max(L') \mid h \in H \,\} \succeq^{\mu_H} \{\, h' - max(L') \mid h' \in H' \,\}$$

That is, $H - L' \succeq^{\mu_H} H' - L'$. In the same way we can see that $H \succ^{\mu_H} H' \Rightarrow H - L' \succ^{\mu_H} H' - L'$.

Since $max(L') \geq max(L)$, according to property (i) we have $H - L \succeq^{\mu_H} H - L'$
and if $max(L') > max(L)$ then $H - L \succ^{\mu_H} H - L'$.

By transitivity,

$$H - L \succeq^{\mu_H} H - L' \wedge H - L' \succeq^{\mu_H} H' - L' \Rightarrow H - L \succeq^{\mu_H} H' - L'$$

and if one of the orderings is strict then $H - L \succ^{\mu_H} H' - L'$.

2. $\mu_L = min$: The proof is similar to (1).

3. $\mu_L = ms, \mu_H = min$: Given $L \preceq^{ms} L'$ and $H \succeq^{min} H'$, according to Lemma 18
we have $(-L) \succeq^{dms} (-L')$ and $(-H) \preceq^{max} (-H')$. According to part (1) of the
proof, we obtain $(-L - (-H)) \succeq^{dms} (-L' - (-H'))$.

Moreover, by Def. 15(1), $(-L - (-H)) = \{\, (-l) - max(-H) \mid (-l) \in (-L) \,\} = \{\, min(H) - l \mid l \in L \,\} = H - L$ by Def. 15(2). Similarly $(-L' - (-H')) = H' - L'$.
So $H - L \succeq^{dms} H' - L'$.

We can easily see that if $L \prec^{ms} L'$ or $H \succ^{min} H'$ then $H - L \succ^{dms} H' - L'$.

4. $\mu_L = ms, \mu_H = max$: The proof is similar to (3).

5. $\mu_L = dms, \mu_H = min$: The proof is similar to (3).

6. $\mu_L = dms, \mu_H = max$: The proof is similar to (3).

Theorem 23 

Let $\mathcal{G}$ be a MCS and $f$ a level mapping. Let $g = p(\bar{x}) :- \pi; q(\bar{y})$ be such that every
cycle $C$ including $g$ satisfies these conditions: (1) all transitions in $C$ are oriented
by $f$, and at least one of them strictly; (2) at least one transition in $C$ is bounded
w.r.t. $f$. Then $g$ is a $\Phi_f$-anchor in $\mathcal{G}$, where $\Phi_f(p(\bar{x})) = p^{high}(\bar{x}) - p^{low}(\bar{x})$.

Proof

Consider a run $p_0(\bar{x}_0) \to p_1(\bar{x}_1) \to \ldots \to p_k(\bar{x}_k) \to p_{k+1}(\bar{x}_{k+1})$ where both
$p_0(\bar{x}_0) \to p_1(\bar{x}_1)$ and $p_k(\bar{x}_k) \to p_{k+1}(\bar{x}_{k+1})$ correspond to the transition rule $g$.
By assumption (1) of the theorem, and Corollary 22, $\Phi_f(p_i(\bar{x}_i)) \succeq \Phi_f(p_{i+1}(\bar{x}_{i+1}))$
for all $0 \leq i \leq k$, and, moreover, at least one of these inequalities is strict. By
assumption (2), and Def. 19, we have $\Phi_f(p_i(\bar{x}_i)) \in \mathcal{D}^+$ for some $0 \leq i \leq k$.
We conclude that $g$ is a $\Phi_f$-anchor for $\mathcal{G}$. □

Theorem 28 
MCNP is in NP. 

Proof 

Let $\mathcal{G}$ be an MC system. If it is in MCNP, there is a ranking structure of polynomial
size (see Def. 10 and subsequent comment). The following evidence suffices for
verifying the ranking structure:

1. The list of level mappings, given explicitly: that is, for each program point,
the high and low sets are listed.

2. For each level mapping $f^i$, the transition rules claimed to be oriented or
strictly oriented by $f^i$ and those that are claimed to be bounded with respect
to it; and additional information used to verify that these conditions hold.

The additional information mentioned last consists of the set of arcs, from the MC
graph representation, that proves the desired relation among multisets, according
to the observations given in Sect. 4. For example, to prove $\pi \models S \succeq^{max} T$, we
require a list of pairs $(x, y)$ with $x \in S$ and $y \in T$ that satisfy $\pi \models x \geq y$, and
include all $y \in T$.

This information has polynomial size and can be verified in polynomial time
by the following algorithm. First, locally, (strict) orientation and boundedness are
verified with the aid of the supplied information. Secondly, a counter $i$ is initialized
to 1. The $\Phi_{f^i}$-anchors are found, according to Thm. 23, by a polynomial-time graph
algorithm (based on depth-first search). Then they are removed, $i$ is incremented,
and the procedure is repeated. When the list is exhausted, $\mathcal{G}$ should be vacant;
otherwise, the verification fails. □

Theorem 29 

The main algorithm succeeds if and only if $\mathcal{G}$ satisfies MCNP.

Proof 

If the algorithm succeeds, returning $\rho = (f^1, f^2, \ldots)$, then $(\Phi_{f^1}, \Phi_{f^2}, \ldots)$ is a ranking
structure for $\mathcal{G}$: this is immediate from the definition of a ranking structure,
provided the correctness of the sub-procedures that identify anchors.

In the other direction, we assume that $(\Phi_{f^1}, \Phi_{f^2}, \ldots)$ is a ranking structure for
$\mathcal{G}$, and prove that the algorithm succeeds.

Consider any iteration of the main loop, and let $C$ be the SCC popped from the
stack. We claim that there exists an MCNP IRF for $C$: indeed, using the notation
of Def. 7, choose $g \in C$ such that $i(g)$ is minimal. Then $\Phi_{f^{i(g)}}$ anchors $g$ for a subset
of $\mathcal{G}$ that contains $C$. Our search procedure will find an MCNP IRF (though not
necessarily the same), and will remove one or more anchors. Thus, at the completion
of each iteration, a non-empty set of transition rules has been removed from $C$. The
contents of the stack are, therefore, a set of SCCs which are strictly reduced (with
respect to the number of arcs) in each iteration, which proves that the algorithm
terminates. It will not abort, as we have just argued that the search for a level
mapping and anchors must succeed. □

Lemma 31 

Let $\mathcal{G}$, $f$, $S$, and $B$ be as in Sect. 5.2. Then, $g \in \mathcal{G}$ is a MCNP-anchor for $\mathcal{G}$ w.r.t. $f$
if and only if: (1) $g \in S \cap B$; or (2) there are node numberings $num_S$ and $num_B$
agreeing with $S$ and $B$ respectively, such that $\Delta num_S(g) \neq 0$ and $\Delta num_B(g) \neq 0$.

Proof

Let $g = p(\bar{x}) :- \pi; q(\bar{y})$. If $p = q$, it is easy to see that $g$ is an anchor w.r.t. $f$ if and
only if $g \in S \cap B$. Case (2) is impossible if $p = q$. Next, let $p \neq q$.

First, suppose that a node numbering as required does exist. Now if $C$ is a cycle
including $g$, the $num_S$ values on this cycle are not all equal; so there must be a
$g' = p'(\bar{x}') :- \pi'; q'(\bar{y}') \in C$ for which $num_S(q') > num_S(p')$. Every transition rule
with such numbering was required to be in $S$. A similar argument shows that $C$ must
include a bounded transition rule. Thus, $g$ satisfies the requirements in Thm. 23,
justifying the "if" part of the lemma.

For "only if," suppose that $g$ is an anchor. Let $\mathcal{G}_B = \mathcal{G} \setminus B$. Assign numbers to the
strongly-connected components of $\mathcal{G}_B$ in reverse-topological order (recall that SCCs
form an acyclic graph). So if components $C_1, C_2$ are connected by an arc from $C_1$
to $C_2$, then $C_1$ has the larger number. For any program point in an SCC, let $num_B$
map it to the number assigned to this SCC. Clearly, this numbering agrees with
$B$; every transition rule $g$ such that $\Delta num_B(g) > 0$ is not in $\mathcal{G}_B$. In a similar way
we define $num_S$. Now, every cycle through $g$ includes an arc of $B$: this means
that the end-points of $g$ are not in the same SCC of $\mathcal{G}_B$. Either $g$ itself is in $B$, or $g$
connects different SCCs; in either case, $\Delta num_B(g) \neq 0$. Similarly, $\Delta num_S(g) \neq 0$.
The required conclusion is satisfied. □

Appendix B Summary of Experiments 

We provide here more information on the experimental results in Sect. 6. For further
details we refer to http://aprove.informatik.rwth-aachen.de/eval/MCNP



Benchmark Suite 1 

Table B1 gives the number of proofs, the average runtime, and the maximum runtime
for our MCNP implementation on the 81 examples from Suite 1. Out of 81
MCSs of the MC transition system, MCNP could show termination for 66 of them.
The maximum runtime of 5.15 seconds was needed on the instance WTC/sipma91
consisting of 15 MC transition rules with up to 12 argument positions (source +
target) and up to 60 individual order constraints in a single monotonicity constraint.

Table B1. Result Summary for Suite 1

Tool   Proofs   Avg. Time   Max. Time
MCNP   66/81    0.55 s      5.15 s



32 of the examples from Suite 1 originate from the evaluation of the paper (Fuhs
et al. 2009) with the termination prover AProVE. Table B2 compares the results
from our experiments with MCNP to the experiments with AProVE. Here the new
column T/o (60 s) denotes the number of timeouts, i.e., examples where the runs
were aborted after exceeding a time limit (here 60 seconds). The column Solved-only
gives the number of examples that were solved by the tool in question, but
not by the other one (i.e., there was 1 example that was solved by AProVE, but not
by MCNP). Since in some of the runs timeouts occurred, we mention two numbers
for the average runtime: Avg. Time (excl. t/o) gives the average runtime on the
examples where the tool in question had no timeouts, and Avg. Time (incl. t/o)
denotes the average runtime on all examples in the example suite, where timeouts
are counted by the value of the time limit (i.e., here 60 seconds).

Table B2. Result Summary for Suite 1 on Instances from (Fuhs et al. 2009)

Tool     Proofs   Avg. Time (excl. t/o)   Avg. Time (incl. t/o)   Max. Time   T/o (60 s)   Solved-only
MCNP     27/32    0.22 s                  0.22 s                  4.22 s      0            0
AProVE   28/32    5.30 s                  12.14 s                 > 60.00 s   4            1

Benchmark Suite 2

Table B3 compares the results of our experiments to those of COSTA when applied
with a timeout of 120 seconds on the examples of Suite 2. The columns in
this table are the same as explained for Table B2. From the 392 SCCs in the MC
transition systems in this suite, MCNP could show termination of 296 of them.
The maximum runtime for MCNP (16.31 seconds) was needed on the example
Julia_10_Recursive/Test6, consisting of 36 MC transition rules with up to 16
argument positions and up to 51 individual order constraints in a single monotonicity
constraint.

Table B3. Result Summary for Suite 2

Tool    Proofs    Avg. Time (excl. t/o)   Avg. Time (incl. t/o)   Max. Time    T/o (120 s)   Solved-only
MCNP    92/165    0.662 s                 0.662 s                 16.31 s      0             5
COSTA   102/165   0.076 s                 3.709 s                 > 120.00 s   5             15



Benchmark Suite 3 

Table B4 compares the results of our MCNP implementation to those of a variant
of AProVE where we fix the abstraction to be the same as in the preprocessor for
MCNP. Table B5 compares the results of MCNP to those of AProVE without fixing
the abstraction. The columns in these tables are the same as explained for Table B2.
The timeouts of MCNP on this suite may be due to the increased complexity of
the corresponding instances. For example, Julia_10_Iterative/Infix2Postfix
consists of 319 MC transition rules with up to 11 argument positions and up to 29
individual order constraints in a single monotonicity constraint, and the example
Julia_10_Iterative/Test9 has 56 MC transition rules with up to 14 argument
positions and up to 158 individual order constraints in a single monotonicity
constraint.

When executing MCNP with no timeout, one could show termination of 64 examples
with MCNP (the proof for the additional example Julia_10_Iterative/Test9
needs 190.6 seconds), and MCNP can show termination of 74 of the 181 SCCs
in the MCSs of this suite. MCNP's highest runtime is obtained on the example
Aprove_09/SortCount with 971.7 seconds, and it is worth noting that this example
consists of 50 MC transition rules with up to 212 individual order constraints
in a single monotonicity constraint.
Table B4. Result Summary for Suite 3 using AProVE with Fixed Abstraction

Tool         Proofs   Avg. Time (excl. t/o)   Avg. Time (incl. t/o)   Max. Time   T/o (60 s)   Solved-only
MCNP         63/127   2.12 s                  5.76 s                  > 60 s      8            5
AProVE fix   73/127   11.08 s                 14.16 s                 > 60 s      8            15

Table B5. Result Summary for Suite 3 using Full AProVE

Tool     Proofs   Avg. Time (excl. t/o)   Avg. Time (incl. t/o)   Max. Time   T/o (60 s)   Solved-only
MCNP     63/127   2.12 s                  5.76 s                  > 60 s      8            3
AProVE   95/127   9.58 s                  17.12 s                 > 60 s      19           35



